Model Checking Linearizability via Refinement

1ICFEM 2008

Model Checking Linearizability via Refinement

Yang LIU, Wei CHEN, Yanhong A. LIU, and Jun SUN

PAT: Process Analysis Toolkit

PAT is a self-contained environment for system specification, visualized simulation and automated verification.

2

http://www.patroot.com

Model Checking Linearizability via Refinement

Summary about PAT

• Main Features–MC fairness enhanced systems (vs Spin)

•Process Counter Abstraction–Refinement checking (vs FDR)–MC Real-time systems (vs Uppaal)

• Applications–MC Self-stablizing population protocol model–Verification of linearizability (this talk)–Web service conformance checking

• June 2007 to Nov 2009–C#, 1 million LOC–Visual Studio like GUI–500+ downloads, 100+ organization, 29 countries/regions–3 Modules: CSP, RTS and WS–50+ build-in examples

3

Model Checking Linearizability via Refinement

On-going and future Works

• New modules–UML, security, sensor network and privacy??

• Symbolic representation techniques, e.g. BDD

• Reduction and abstraction techniques

• Probabilistic model checking techniques

Model Checking Linearizability via Refinement

5FM 2009

Outline

•Motivations and Overview•Background

–Shared Memory Model–Linearizability Definitions

•Linearizability as Refinement Relations•Verification of Linearizability•Experiments•Related Work•Conclusion and Future Work

Model Checking Linearizability via Refinement

6FM 2009

Motivations

•Concurrent objects (shared queue, stacks) are hard to design correctly

–Exclusive access (correctness) vs. Maximum interleaving (performance)–Esp. lock-free & wait-free ones

•Linearizability [HW90] is an accepted correctness criterion for shared objects.

–A shared object is linearizable if each operation on the object can be understood as occurring instantaneously at some point, (a.k.a. linearization point)

•Automatic verification of linearizability is challenging–Rely on the knowledge of linearization points–Linearization points are hard to be statically determined

Model Checking Linearizability via Refinement

Overview of Our Approach

• Define linearizability based on refinement relations–An event-based modeling language –Semantics based on LTS

• Verify linearizability using refinement checking algorithms–Create linearizable specifications–Refinement between abstract specification and concrete implementation models

• Tool: Process Analysis Toolkit (PAT) –A toolkit for automatically analyzing event-based concurrent systems including refinement checking –Substantial Experiments: Stack, Queue, K-valued Register Mailbox[DISC’08], SNZI[PODC’07].

FM 2009 7

Model Checking Linearizability via Refinement

8FM 2009

Outline

•Motivations and Overview•Background

–Shared Memory Model–Linearizability Definitions

•Linearizability as Refinement Relations•Verification of Linearizability•Experiments•Related Work•Conclusion and Future Work

Model Checking Linearizability via Refinement

Shared Memory Model

• A shared memory model M, –O = (o1,…,ok) denotes the set of k shared objects,

–P = (p1,…,pn) denotes the set of n processes accessing the objects.–O support a set of operations: pairs of invocations and matching responses.

• The behaviour of M–the set of all possible sequences (trace) of invocations and responses together with the initial states of the objects.

FM 2009 9

p0: Winv(x,1) Wres(x) Rinv(y) Rres(y,2)

p1: Winv(y,2) Wres(y) Rinv(x) Rres(x,1)

Model Checking Linearizability via Refinement

Linearizability

• σ is linearizable if there exists a sequential permutation π of σ such that–1) for each object oi, π|oi is a legal sequential history (i.e. π respects the sequential specification of the objects), and–2) if op1 <σ op2, then op1 <π op2 (i.e., π respects the run-time ordering of operations).

• Examples

FM 2009 10

p0: Winv(x,1) Wres(x) Rinv(y) Rres(y,2)

p1: Winv(y,2) Wres(y) Rinv(x) Rres(x,1)

p0: Winv(x,1) Wres(x) Rinv(y) Rres(y,2)

p1: W inv(y,2) Wres(y) Rinv(x) Rres(x,1)

p0: Winv(x,1) Wres(x) Rinv(y) Rres(y,0)

p1: Winv(y,2) Wres(y) Rinv(x) Rres(x,1)

Model Checking Linearizability via Refinement

Stack Example

•High-level Linearizability vs. Low-Level Linearizability

Model Checking Linearizability via Refinement

12FM 2009

Outline

•Motivations and Overview•Background

–Shared Memory Model–Linearizability Definitions

•Linearizability as Refinement Relations•Verification of Linearizability•Experiments•Related Work•Conclusion and Future Work

Model Checking Linearizability via Refinement

Create Specification Model• Event-base formalism (e.g. CSP)• Specify each operation op of a shared object o on a

process pi using three atomic steps:

–the invocation action inv(op)i,

–the linearization action lin(op)i, and (Invisible event)

–the response action res(op, resp)i .

• Is linearizable!

FM 2009 13

Model Checking Linearizability via Refinement

Create Implementation• Consider the implementment of object o.

–The visible events of impl are also those inv(op)i 's and res(op, resp)i 's.

• Is linearizable?FM 2009 14

Model Checking Linearizability via Refinement

Linearizability as Refinement

FM 2009 15

Model Checking Linearizability via Refinement

• On-the-fly verification algorithm (DFS)

• Optimizations:–Partial Order Reduction

•||| is the main source of state space explosion•Explore only a subset of enabled transitions and yet preserve soundness.

–Symmetry Reduction•Ignore the orders of similar processes•E.g. reader ||| writer1 ||| writer2 == reader ||| writer2 ||| writer1

–Process Counter Abstraction

Refinement Checking Algorithm

16

Model Checking Linearizability via Refinement

Experiments

TASE 2009 17

Model Checking Linearizability via Refinement

Related Works

• Manual proving–Herlihy and Wing ACM Transaction 90–Vafeiadis et. al. use rely-guarantee PPoPP’06

• Using theorem provers–Doherty et. al. use simulation between I/O automata modeling the specification and implementation. FORTE'04

• Static analysis–Wang and Stoller present a static analysis that verifies linearizability for an unbounded number of threads. PPoPP’05

• Model checking–Amit et al. presented a shape difference abstraction that tracks the difference between two heaps. CAV’07–Manevich et al. SAS’08 and Berdine et al. CAV’08 extended it to handle larger number and unbounded number of threads, respectively.–Vafeiadis further improved this solution to allow linearization points in different threads. VMCAI’09–Vechev and Yahav use trace analysis. PLDI'08

FM 2009 18

Model Checking Linearizability via Refinement

19FM 2009

Conclusion

•Specify and verify linearizability using refinement relation

•Show that refinement checking algorithm behind PAT allows verifying concurrent algorithms

–without the knowledge of linearization points–fully automatically–effective reduction technique

•Formally verify Mailbox and SNZI algorithms for the first time

Model Checking Linearizability via Refinement

20FM 2009

On-going and future works

•Deal with infamous state explosion problem

•Combine different state space reduction techniques and parameterized refinement checking for infinite number of processes

Model Checking Linearizability via Refinement

21ICFEM 2008

Thank You

Model Checking Linearizability via Refinement

Modeling Language

• Shared Variables and Arrays

• Synchronization primitives in nonblocking algorithms–compare and swap (CAS) and –load linked (LL)/store-conditional (SC).

FM 2009 22

Model Checking Linearizability via Refinement

Semantics• System State : a pair (P,V)

–P is the current process expression, and –V is the current valuation of the shared variables represented as a mapping from names to values.

FM 2009 23

Model Checking Linearizability via Refinement

Refinement

• Lim = (Sim, initim,Tim) be a LTS for an implementation.

• Lsp = (Ssp, initsp,Tsp) be a LTS for a specification.

• Lim refines Lsp, iff traces(Lim) ⊆ traces(Lsp).

FM 2009 24

Model Checking Linearizability via Refinement

Back up

• Support Synchronization Primitives–Compare and Swap

–Load-linked/ Store-Conditional